AES Advanced Encryption Standard - PowerPoint PPT Presentation

Description: AES Advanced Encryption Standard, CSC 7002 Computer Security, William Roche, http://ouray.cudenver.edu/~wrroche/Security/Presentation.html


1
AES: Advanced Encryption Standard
  • CSC 7002 Computer Security
  • William Roche

http://ouray.cudenver.edu/~wrroche/Security/Presentation.html
2
Advanced Encryption Standard
  • Published by the National Institute of Standards and
    Technology (NIST) as FIPS 197 on November 26, 2001; the
    standard took effect on May 26, 2002.
  • AES is a simple design and a high-speed algorithm with
    low memory cost.
  • AES is a symmetric block cipher: the same key is used to
    encrypt and to decrypt the message.
  • A plaintext block and its ciphertext block are the same
    size (128 bits).

3
AES Block
  • AES has a fixed block size of 128 bits (16 bytes). The
    block is held in a 4 x 4 array of bytes called the state,
    which is filled column by column.
  • The plaintext ABCDEFGHIJKLMNOP as the state, with the
    ASCII values in hex on the right:

      A E I M        41 45 49 4D
      B F J N        42 46 4A 4E
      C G K O        43 47 4B 4F
      D H L P        44 48 4C 50
4
AES Key
  • The AES key is 128, 192 or 256 bits long, i.e. Nk = 4, 6
    or 8 words of 32 bits.
  • 128 bits (4 words):
    11223344556677889900AABBCCDDEEFF

      w0 = 11 22 33 44
      w1 = 55 66 77 88
      w2 = 99 00 AA BB
      w3 = CC DD EE FF

5
AES Key
  • or 192 bits (6 words):
    11223344556677889900AABBCCDDEEFF1122334455667788

      w0 = 11 22 33 44
      w1 = 55 66 77 88
      w2 = 99 00 AA BB
      w3 = CC DD EE FF
      w4 = 11 22 33 44
      w5 = 55 66 77 88

  • or 256 bits (8 words):
    11223344556677889900AABBCCDDEEFF11223344556677889900AABBCCDDEEFF

      w0 = 11 22 33 44
      w1 = 55 66 77 88
      w2 = 99 00 AA BB
      w3 = CC DD EE FF
      w4 = 11 22 33 44
      w5 = 55 66 77 88
      w6 = 99 00 AA BB
      w7 = CC DD EE FF
6
Comparisons
7
Security
  • The key security feature is the size of the key.

    Assuming that one could build a machine that could recover
    a DES key in a second (i.e., try 2^55 keys per second), it
    would take that machine approximately 149 thousand-billion
    (149 trillion) years to crack a 128-bit AES key: on average
    half of the 2^128 keys must be tried, and 2^127 / 2^55 =
    2^72 seconds is about 1.5 x 10^14 years. To put that into
    perspective, the universe is believed to be less than
    20 billion years old.
  • Accepting Moore's Law (processor speed doubling every
    18 months), the full key space (2^128 / 2^55 = 2^73 seconds
    on that machine) needs 73 doublings to come down to one
    second, so AES stays out of brute-force reach for another
    73 x 1.5 = 109.5 years. This is only the brute-force
    bound; it says nothing about attacks on the algorithm or
    on its implementation (see the side-channel slides).

8
AES Operations
  • AES operates on the finite field GF(2^8).
  • A byte b = b7 b6 ... b0 is represented as a polynomial
    b(x) with binary coefficients b_i ∈ {0, 1}:

    b(x) = b7 x^7 + b6 x^6 + b5 x^5 + b4 x^4 + b3 x^3 + b2 x^2 + b1 x + b0

  • Addition in GF(2^8) is addition of the coefficients
    modulo 2, i.e. the bytewise XOR.
  • Multiplication in GF(2^8) consists of multiplying two
    polynomials modulo an irreducible polynomial of degree 8.
  • AES uses the following irreducible polynomial:

    m(x) = x^8 + x^4 + x^3 + x + 1    (hex 0x11B)
9
AES Algorithm
10
AES Algorithm
11
AES Algorithm
Key Expansion
  • Sample key (AES-128):
    11223344556677889900AABBCCDDEEFF
  • The first Nk = 4 words are set equal to the key:

    w0 = 11 22 33 44
    w1 = 55 66 77 88
    w2 = 99 00 AA BB
    w3 = CC DD EE FF
12
AES Algorithm
Key Expansion
  • For words 4 through 43 (AES-128: Nk = 4, Nb = 4, Nr = 10):

    i = Nk                              // Nk = 4
    while (i < Nb * (Nr + 1))           // Nb * (Nr + 1) = 4 * (10 + 1) = 44
        temp = w[i - 1]
        if (i mod Nk == 0)
            rotate temp left by 1 byte                    // RotWord
            process each byte of temp through the S-box   // SubWord
            XOR the first byte of temp with RCON[i/Nk - 1]
        w[i] = w[i - Nk] XOR temp       // w[i - 4] for Nk = 4
        i = i + 1

  • This deck's RCON table is zero-based (RCON[0] = 01), hence
    the index i/Nk - 1; FIPS 197 writes the same constants as
    Rcon[i/Nk] with Rcon[1] = 01.
  • The same loop expands 192- and 256-bit keys with Nk = 6 or
    8 and Nr = 12 or 14; for Nk = 8 the words with i mod 8 == 4
    additionally pass through the S-box (without the rotation
    and the RCON step).

13
AES Algorithm
Key Expansion
    w0 = 11 22 33 44   w1 = 55 66 77 88   w2 = 99 00 AA BB   w3 = CC DD EE FF

    i = Nk = 4;  loop while i < Nb * (Nr + 1) = 44
    temp = w[i - 1] = w3 = CC DD EE FF
14
AES Algorithm
Key Expansion
  • i mod Nk = 4 mod 4 = 0, so temp is transformed:
  • rotate word left 1 byte
  • process each byte through the S-box
  • XOR the first byte with RCON[i/Nk - 1] = RCON[0]

    temp = CC DD EE FF
    temp = DD EE FF CC                          (RotWord)
    temp = S[DD] S[EE] S[FF] S[CC]
         = C1 28 16 4B                          (SubWord)
    RCON[0] = 01:  C1 ⊕ 01 = C0
    temp = C0 28 16 4B
15
rCon round Constants
  • RCON can be implemented with a look-up table:
    RCON[j] = x^j = 2^j in GF(2^8), i.e.
    01 02 04 08 10 20 40 80 1B 36 (the last two are 2^8 and
    2^9 reduced modulo m(x)).
  • It removes symmetry and linearity from the key expansion.

16
AES Algorithm
Key Expansion
  • Back in the loop with i = 4: the if-block has been applied
    to temp, so the remaining step of the iteration is

    w[i] = w[i - 4] XOR temp
    i = i + 1

    i = 4
    temp = C0 28 16 4B
    w[i] = w[i - 4] ⊕ temp
17
AES AlgorithmKey Expansion
    w0 = 11 22 33 44   w1 = 55 66 77 88   w2 = 99 00 AA BB   w3 = CC DD EE FF

    i = 4,  temp = C0 28 16 4B,  w[i] = w[i - 4] ⊕ temp
    w4 = (11 ⊕ C0) (22 ⊕ 28) (33 ⊕ 16) (44 ⊕ 4B)
    w4 = D1 0A 25 0F
18
AES Algorithm
Key Expansion
  • Next iteration, i = 5 (still < 44):

    temp = w[i - 1] = w4 = D1 0A 25 0F
    5 mod 4 ≠ 0, so temp is used unchanged (no RotWord,
    SubWord or RCON)
    w[i] = w[i - 4] XOR temp
    i = i + 1
19
AES Algorithm
Key Expansion
    w0 = 11 22 33 44   w1 = 55 66 77 88   w2 = 99 00 AA BB
    w3 = CC DD EE FF   w4 = D1 0A 25 0F

    i = 5,  temp = D1 0A 25 0F,  w[i] = w[i - 4] ⊕ temp
    w5 = (55 ⊕ D1) (66 ⊕ 0A) (77 ⊕ 25) (88 ⊕ 0F)
    w5 = 84 6C 52 87
20
21
AES Algorithm
22
AES Algorithm
23
AES Algorithm AddRoundKey
Expanded key: words w0 to w3 form the first round key.
Each byte of the state is XORed with the corresponding byte of
the round key (column c of the state with word w[c]).
State ⊕ round key = state after AddRoundKey.
24
AES Algorithm
25
AES Algorithm SubBytes
  • SubBytes applies the AES S-box to every byte of the state.
  • It is the only non-linear step of the cipher; without it
    AES would be an affine system and trivially breakable.
  • The S-box is a bijection: for every value of b there is a
    unique value b', so the step can be inverted (InvSubBytes).
  • It is faster to use a substitution table (and easier).

b' = affine transformation of x, where x is the multiplicative
inverse of the byte b in GF(2^8) (with 0 mapped to 0). The
affine step XORs x with four of its own bit rotations and the
constant 63.
26
AES AlgorithmSubBytes
27
AES Algorithm SubBytes
State
28
AES Algorithm
29
AES AlgorithmShiftRows
  • Simple routine: rows 1, 2 and 3 of the state are rotated
    (cyclically shifted) left by 1, 2 and 3 bytes respectively;
    row 0 is left unchanged.

Before ShiftRows
After ShiftRows
30
AES Algorithm
31
AES Algorithm - MixColumns
  • Together with ShiftRows this provides diffusion.
  • Each column is considered a polynomial over GF(2^8) and
    multiplied modulo x^4 + 1 with the fixed polynomial
    a(x) = 03 x^3 + 01 x^2 + 01 x + 02.
    NOTE: x^4 + 1 is not irreducible, but it is relatively
    prime to a(x), so a(x) has an inverse modulo x^4 + 1 and
    the step can be undone (InvMixColumns).
  • column c(x) → (a(x) · c(x)) mod (x^4 + 1)
  • This can also be written as a matrix multiplication.


32
AES Algorithm - MixColumns
    a0' = 2·a0 ⊕ 3·a1 ⊕   a2 ⊕   a3
    a1' =   a0 ⊕ 2·a1 ⊕ 3·a2 ⊕   a3
    a2' =   a0 ⊕   a1 ⊕ 2·a2 ⊕ 3·a3
    a3' = 3·a0 ⊕   a1 ⊕   a2 ⊕ 2·a3

Addition is easy in GF(2^8): addition is just the XOR operation.
Multiplication by 1 is easy in GF(2^8): multiplication by one is
the identity.
Multiplication by 2 in GF(2^8) takes some work ("xtime"):
  . If the value being multiplied is < 0x80, just shift all
    the bits left by 1.
  . If the value is ≥ 0x80, shift left by 1 (dropping the bit
    that falls out of the byte) and XOR with 0x1B.
  . The XOR with 0x1B is the reduction modulo m(x): the bit
    that overflowed is x^8 = x^4 + x^3 + x + 1 = 0x1B, so the
    result stays within one byte.
To multiply by 3 in GF(2^8):
    a · 0x03 = a · (0x02 ⊕ 0x01) = (a · 0x02) ⊕ (a · 0x01) = xtime(a) ⊕ a
33
AES Algorithm
34
Sample Conversions
35
AES Algorithm
Encryption (cipher)                Decryption (inverse cipher)

Plaintext                          Ciphertext
AddRoundKey  (round key 0)         AddRoundKey  (round key Nr)

Repeat Nr - 1 rounds:              Repeat Nr - 1 rounds:
  SubBytes                           InvShiftRows
  ShiftRows                          InvSubBytes
  MixColumns                         AddRoundKey  (round key)
  AddRoundKey  (round key)           InvMixColumns

Last round:                        Last round:
  SubBytes                           InvShiftRows
  ShiftRows                          InvSubBytes
  AddRoundKey  (round key Nr)        AddRoundKey  (round key 0)

Ciphertext                         Plaintext

The round keys are added in reverse order for decryption.
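The whole cipher above, as an added example that is not part of the original deck: a complete AES-128/192/256 implementation in Python assembled from the pieces the slides describe, the GF(2^8) arithmetic and xtime trick of slides 8 and 32, the S-box as multiplicative inverse plus affine map of slide 25, the key expansion of slides 11 to 19, ShiftRows and MixColumns of slides 29 and 31, and the cipher and inverse-cipher flow of this slide. The function names, the flat column-major state layout and the FIPS-197 Appendix C test values in the usage block are this example's own choices, not the deck's; the deck's sample key 1122...EEFF reproduces w4 = D1 0A 25 0F and w5 = 84 6C 52 87 as worked out on slides 17 and 19.

```python
# Added example, not from the slides: AES built from the pieces the deck
# describes.  Educational only: the secret-indexed table lookups are exactly
# the cache-timing leak the side-channel slides warn about.

def xtime(a):
    """Multiply by x (0x02) in GF(2^8): shift left, reduce by m(x) = 0x11B."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply in GF(2^8) by shift-and-add over the bits of b."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def make_sbox():
    """S-box = multiplicative inverse (0 -> 0) followed by the affine map
    s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63."""
    sbox = []
    for b in range(256):
        inv = next((x for x in range(256) if gf_mul(b, x) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):
    """KeyExpansion for 16/24/32-byte keys: Nr+1 round keys of 4 words each.
    RCON starts at 01 and is doubled with xtime after every use."""
    nk, rcon = len(key) // 4, 0x01
    nr = nk + 6                                  # 10, 12 or 14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                          # RotWord, SubWord, XOR RCON
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:             # extra SubWord for AES-256
            t = [SBOX[x] for x in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [w[4 * r:4 * r + 4] for r in range(nr + 1)]

# The state is a flat list of 16 bytes in input order: s[4*c + r] is row r of
# column c, so every 4 consecutive bytes form one column (slide 3).
def add_round_key(s, rk):
    return [s[4 * c + r] ^ rk[c][r] for c in range(4) for r in range(4)]

def shift_rows(s, inv=False):
    """Rotate row r left by r bytes (right by r bytes for the inverse)."""
    d = -1 if inv else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, inv=False):
    """Multiply each column by a(x) = 03x^3 + 01x^2 + 01x + 02 mod x^4 + 1,
    i.e. by the circulant matrix of (2, 3, 1, 1); the inverse uses (14, 11, 13, 9)."""
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(col[j], m[(j - r) % 4])
            out.append(v)
    return out

def encrypt_block(key, block):
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])
    for rnd in range(1, len(rks)):
        s = [SBOX[b] for b in s]                 # SubBytes
        s = shift_rows(s)                        # ShiftRows
        if rnd != len(rks) - 1:                  # last round skips MixColumns
            s = mix_columns(s)
        s = add_round_key(s, rks[rnd])
    return bytes(s)

def decrypt_block(key, block):
    """Inverse cipher of slide 35: round keys applied in reverse order."""
    rks = expand_key(key)
    s = add_round_key(list(block), rks[-1])
    for rnd in range(len(rks) - 2, -1, -1):
        s = shift_rows(s, inv=True)              # InvShiftRows
        s = [INV_SBOX[b] for b in s]             # InvSubBytes
        s = add_round_key(s, rks[rnd])
        if rnd != 0:                             # no InvMixColumns before round 0
            s = mix_columns(s, inv=True)
    return bytes(s)

if __name__ == "__main__":
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # FIPS-197 C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(k, pt)
    print(ct.hex(), decrypt_block(k, ct) == pt)   # 69c4e0d86a7b0430d8cdb78070b4c55a True
```

Checking against a published known-answer vector rather than only against a round trip is what catches a wrong S-box or a mis-ordered inverse step: a symmetric bug survives encrypt-then-decrypt but not the FIPS vector. The code keeps the deck's table-driven structure on purpose, since that is the structure slides 39 to 41 attack.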
36
Larger Plain Texts
  • How to avoid frequency analysis on messages longer than one
    block? Encrypting every block independently (ECB mode) maps
    equal plaintext blocks to equal ciphertext blocks, so
    patterns in the plaintext show through.
  • Cipher Block Chaining (CBC): each plaintext block is XORed
    with the previous ciphertext block (with an initialization
    vector for the first block) before it is encrypted. The IV
    must be unpredictable and never reused under the same key,
    and CBC on its own gives no integrity protection.

37
Padding
  • If a plaintext message is not a multiple of 16 bytes,
    padding is the usual solution.
  • An easy method is to add a single 1 bit at the end of the
    message followed by enough 0 bits to fill the block (in
    bytes: 0x80 followed by 0x00 bytes).
  • If the last block is already full, add one more block
    consisting of the 1 followed by 0s. Padding is therefore
    always present, which lets the receiver remove it
    unambiguously.
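The padding scheme above and the CBC chaining of slide 36, as an added example that is not from the deck: pad/unpad with the 0x80 00 ... 00 method, including the full-last-block case and rejection of malformed padding, and ECB versus CBC over a pluggable 16-byte block function. Because the example must run on its own, demo_block is a constructed stand-in (a 4-round Feistel network with a SHA-256 round function); it is a keyed permutation with no linear structure, which is all the mode logic needs, but it is not a cipher anyone should use. The key string, IV and message are constructed sample values.

```python
# Added example, not from the slides: bit padding (slide 37) and CBC vs ECB
# (slide 36) over a pluggable block function.  demo_block is a constructed
# stand-in permutation, NOT a secure cipher; plug AES in instead.
import hashlib

BLOCK = 16

def pad(msg):
    """Append 0x80 (a single 1 bit) and then 0x00 bytes up to a block boundary.
    At least one byte is always added, so a message that already fills its
    last block gets one extra block and the receiver can strip unambiguously."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad(data):
    """Strip bit padding; reject anything that is not 0x80 followed by at most
    BLOCK-1 zero bytes at the end of a whole number of blocks."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    body = data.rstrip(b"\x00")
    if not body.endswith(b"\x80") or len(data) - len(body) >= BLOCK:
        raise ValueError("bad padding")
    return body[:-1]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def demo_block(blk, decrypt=False, key=b"constructed demo key"):
    """Stand-in block permutation: 4-round Feistel with a SHA-256 round function."""
    f = lambda half, i: hashlib.sha256(key + bytes([i]) + half).digest()[:8]
    l, r = blk[:8], blk[8:]
    if not decrypt:
        for i in range(4):
            l, r = r, xor_bytes(l, f(r, i))
    else:
        for i in reversed(range(4)):
            l, r = xor_bytes(r, f(l, i)), l
    return l + r

def ecb_encrypt(msg, enc=demo_block):
    """Each block independently: equal plaintext blocks give equal ciphertext."""
    data = pad(msg)
    return b"".join(enc(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(iv, msg, enc=demo_block):
    """XOR each plaintext block with the previous ciphertext block (the IV for
    the first) before encrypting, so repeats in the plaintext are hidden."""
    data, prev, out = pad(msg), iv, []
    for i in range(0, len(data), BLOCK):
        prev = enc(xor_bytes(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(iv, ct, dec=lambda b: demo_block(b, decrypt=True)):
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor_bytes(dec(blk), prev))
        prev = blk
    return unpad(b"".join(out))

def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier one (the ECB leak)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    msg = b"ATTACK AT DAWN!!" * 3              # constructed: three equal blocks
    iv = bytes(range(BLOCK))                   # demo IV; use a fresh random one
    print(repeated_blocks(ecb_encrypt(msg)), repeated_blocks(cbc_encrypt(iv, msg)))
```

repeated_blocks counts duplicate ciphertext blocks: ECB shows two for the three-block repeat, CBC none. CBC needs an IV that is unpredictable and never reused under the same key, and on its own it gives no integrity: flipping a ciphertext bit flips the same plaintext bit in the next block, and an unpad that reports "bad padding" to the network is a padding oracle. Pair it with a MAC, or use an authenticated mode.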

38
Attacks on AES
  • Differential cryptanalysis: the study of how differences in
    the input propagate to differences in the output.
  • Its effectiveness is greatly reduced by the high number of
    rounds (and the diffusion of ShiftRows and MixColumns).
  • Linear cryptanalysis: the study of linear correlations
    between input and output bits.
  • The S-box and MixColumns are designed to frustrate linear
    analysis.

39
Attacks on AES
  • Side-channel attacks: attacks based on studying and
    measuring the actual implementation of the code (timing,
    power consumption), not the mathematics of the cipher.
  • For some implementations of AES the key has been obtained
    in under 100 minutes.
  • In the cited cache-timing attack (Bernstein, see the
    references) the computer running AES was an 850 MHz
    Pentium III running FreeBSD 4.8.

40
Types of Side Channel Attacks
  • Timing attacks: watch how long operations take, in
    particular the movement of data in and out of the CPU
    cache or memory.
  • It is difficult to retrieve an array element in a time that
    does not depend on the index value: a table lookup indexed
    by key or plaintext bytes (such as the S-box) leaks through
    the cache.
  • Power attacks: watch the power consumption of the CPU or
    memory.
  • Changing one bit requires considerably less power than
    changing all bits in a byte, so the Hamming weight of the
    data being processed can be read off the power trace.

41
Attack Precautions
  • Avoid key- or data-indexed array lookups: compute the S-box
    and RCON values instead of reading them from tables.
  • Design algorithms and devices to work in constant time,
    independent of key and plaintext.
  • Timing information the CPU leaks indirectly (cache hits and
    misses, branch prediction) is a threat even when the code
    itself has no data-dependent branches.
  • Use the same kind of memory throughout: cache is faster
    than DRAM, so a lookup that hits the cache and one that
    misses are distinguishable.
  • Compute the key expansion on the fly rather than storing
    the round keys.
  • Utilize pipelining to stabilize CPU power consumption.
  • On current x86 CPUs the AES-NI instructions run the round
    functions in hardware without any table lookups, which
    removes the cache-timing channel from the cipher itself.
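Two of the precautions above made concrete, as an added example that is not from the deck: the RCON table of slide 15 read the ordinary way, read with a masked scan whose memory-access pattern does not depend on the index, and computed on the fly without any table. ct_lookup, rcon_compute and the mask idiom are this example's own; it models in Python the idiom one would write in C or assembly, since the Python interpreter itself makes no timing guarantees.

```python
# Added example, not from the slides: slide-41 precautions applied to the RCON
# table of slide 15.  Python gives no timing promise; this is a readable model
# of the C idioms, not a hardened routine.

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def rcon_lookup(i):
    """Plain indexed read: the memory address touched depends on i."""
    return RCON[i]

def ct_lookup(table, i):
    """Read every entry of a byte table and keep the wanted one with a mask.
    mask is 0xFF exactly when j == i (then (j ^ i) - 1 is negative), else 0x00;
    the sequence of memory accesses is the same for every i."""
    acc = 0
    for j, v in enumerate(table):
        mask = (((j ^ i) - 1) >> 31) & 0xFF
        acc |= v & mask
    return acc

def rcon_compute(i):
    """No table at all: derive RCON[i] = x^i in GF(2^8) by i branch-free
    doublings.  The overflow bit selects the reduction constant 0x11B through
    a mask instead of an if-statement, so there is no data-dependent branch."""
    v = 0x01
    for _ in range(i):                      # i is the public round number
        v = (v << 1) ^ (0x11B & -(v >> 7))
    return v

if __name__ == "__main__":
    for i in range(len(RCON)):
        print(i, hex(rcon_lookup(i)), hex(ct_lookup(RCON, i)), hex(rcon_compute(i)))
```

The same masked scan over a 256-entry S-box costs 256 reads per byte, which is why bit-sliced software or hardware (AES-NI) implementations are preferred where timing matters.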

42
Joan Daemen & Vincent Rijmen's
AES Selling Points
  • Extremely fast compared to other block ciphers.
    (tradeoff between size and speed)
  • The round transformation is parallel by design.
    Important in dedicated hardware.
  • Amenable to pipelining
  • The cipher does not use arithmetic operations so
    has no bias towards big or little endian
    architectures.

43
Joan Daemen & Vincent Rijmen's
AES Selling Points
  • Fully self-supporting. Does not use S-boxes of other
    ciphers, bits from RAND tables, digits of π or any other
    such jokes.
  • Is not based on obscure or not well understood processes.
  • The tight cipher design does not leave enough room to hide
    a trap door.

44
Joan Daemen & Vincent Rijmen's
AES Limitations
  • The inverse cipher is less suited to smart cards, as it
    takes more code and cycles.
  • The cipher and inverse cipher make use of different code
    and/or tables.
  • In hardware, the inverse cipher can only partially re-use
    the circuitry which implements the cipher.

45
References
About AES
  • Joan Daemen, Vincent Rijmen. AES Proposal: Rijndael. 2nd
    version of the document submitted to NIST.
  • Susan Landau. "Polynomials in the Nation's Service: Using
    Algebra to Design the Advanced Encryption Standard". The
    American Mathematical Monthly (Mathematical Association of
    America), vol. 111, Feb 2004, pp. 89-117.
  • W. E. Burr. "Selecting the Advanced Encryption Standard".
    IEEE Security & Privacy Magazine, vol. 1, issue 2,
    Mar-Apr 2003, pp. 43-52.
  • Johannes A. Buchmann. Introduction to Cryptography, 2nd
    edition. Springer, July 13, 2004.
46
References
Security and attacking AES
  • S. B. Ors, F. Gurkaynak, E. Oswald, B. Preneel.
    "Power-analysis attack on an ASIC AES implementation".
    Information Technology: Coding and Computing (ITCC 2004),
    vol. 2, 2004, pp. 546-552.
  • W. T. Penzhorn. "Algebraic attacks on cipher systems".
    AFRICON 2004 (7th AFRICON Conference in Africa), vol. 2,
    2004, pp. 969-974.
  • Daniel J. Bernstein. "Cache-timing attacks on AES".
    Preliminary version of a report to the National Science
    Foundation, grant CCR-9983950.
47
References
Applications / implementations of AES
  • Chih-Pin Su, Tsung-Fu Lin, Chih-Tsiun Huang, Cheng-Wen Wu.
    "A high-throughput low-cost AES processor". IEEE
    Communications Magazine, vol. 41, issue 12, Dec 2003,
    pp. 86-91.
  • Shuenn-Shyang Wang, Wan-Sheng Ni. "An efficient FPGA
    implementation of advanced encryption standard algorithm".
    Circuits and Systems (ISCAS '04), vol. 2, 23-26 May 2004,
    pp. II-597-600.
  • Xinmiao Zhang, K. K. Parhi. "High-speed VLSI architectures
    for the AES algorithm". IEEE Transactions on Very Large
    Scale Integration (VLSI) Systems, vol. 12, issue 9,
    Sept 2004, pp. 957-967.
  • Chi-Feng Lu, Yan-Shun Kao, Hsia-Ling Chiang, Chung-Huang
    Yang. "Fast implementation of AES cryptographic algorithms
    in smart cards". Security Technology, 14-16 Oct 2003,
    pp. 573-579.
48
References
Applications / implementations of AES (continued)
  • Liang Deng, Hongyi Chen. "A new VLSI implementation of the
    AES algorithm". 2002 IEEE International Conference on
    Communications, Circuits and Systems and West Sino
    Expositions, vol. 2, 29 June - 1 July 2002, pp. 1500-1504.